Amendments to the Claims:



This listing of claims will replace all prior versions, and listings, of claims in 
the application: 

Listing of Claims: 

1. (currently amended) An apparatus comprising: 

a processor executive (PE) executable on a processor to handle load an
operating system executive (OSE) in a secure environment, the secure environment
having a fused key (FK) and associated with an isolated memory area in a platform
having the processor, the OSE to manage a subset of an operating system (OS)
running on the platform, the platform having a processor capable of selectively
operating in one of a normal execution mode and, alternatively, in an isolated
execution mode, the isolated memory area being accessible to the processor in the
isolated execution mode;

a PE supplement to supplement the PE with comprising a PE manifest that
represents representing the PE and a PE identifier to identify the PE; and

a PE handler to handle verify the PE using the FK and the PE supplement.

2. (currently amended) The apparatus of claim 1 further comprises comprising:

a boot-up code to load the PE handler into the isolated memory area during a
process of booting boot up the platform following a power on.

3. (currently amended) The apparatus of claim 2 claim 1 wherein the secure
environment includes an OSE supplement to supplement the OSE with comprising
an OSE manifest that represents representing the OSE and an OSE identifier to
identify the OSE.

4. (currently amended) The apparatus of claim 3 claim 1 wherein the PE handler
comprises: 

a PE loader to load the PE and the PE supplement from a PE memory into
the isolated memory area using a parameter block provided by the boot-up code;

a PE manifest verifier to verify the PE manifest; and

a verifier to verify the PE using the PE manifest and a constant derived
from the FK.

5. (currently amended) The apparatus of claim 4 claim 1 wherein the PE handler
further comprises: 

a PE key generator to generate a PE key using the FK; 

a PE identifier logger to log the a PE identifier in a storage; and 

a PE entrance/exit handler to handle a PE entry and a PE exit. 

6. (currently amended) The apparatus of claim 5 wherein the PE key generator 
comprises: 

a PE key combiner to combine the PE identifier and the FK, the combined PE 
identifier and the FK corresponding to the PE key. 

7. (currently amended) The apparatus of claim 6 claim 3 wherein the PE
comprises: 

an OSE loader to load the OSE and the OSE supplement into the isolated 
memory area; 

an OSE manifest verifier to verify the OSE manifest; and 
an OSE verifier to verify the OSE.

8. (currently amended) The apparatus of claim 7 claim 1 wherein the PE further
comprises: 

an OSE key generator to generate an OSE key; 

an OSE identifier logger to log the an OSE identifier in a storage; and 

an OSE entrance/exit handler to handle an OSE entry and an OSE exit. 

9. (currently amended) The apparatus of claim 8 wherein the OSE key generator
comprises:

a binding key generator to generate a binding key (BK) using the a PE key;

and 

an OSE key combiner to combine the OSE identifier and the BK, the 
combined OSE identifier and the BK corresponding to the OSE key. 

10. (currently amended) The apparatus of claim 9 claim 1 wherein the OSE
comprises:

a module loader to load a module into the isolated memory area;
a page manager to manage paging in the isolated memory area; and
an interface handler to handle interface interfacing with the OS.

11. (currently amended) The apparatus of claim 9 claim 10 wherein the module is
one comprises one or more modules selected from the group consisting of an
application module, an applet module, and a support module.

12. (currently amended) The apparatus of claim 11 wherein the OSE further
comprises:

an applet key generator to generate an applet key associating associated
with the applet module. 

13. (currently amended) The apparatus of claim 12 wherein the applet key 
generator comprises: 

an applet key combiner to combine the an OSE key with an applet identifier 
identifying the applet module, the combined OSE key and the applet identifier 
corresponding to the applet key. 

14. (currently amended) The apparatus of claim 13 claim 4 wherein the [[boot up]]
boot-up code comprises:

a PE locator to locate the PE and the PE supplement, the PE locator
transferring the PE and the PE supplement into the PE memory at a PE address;
a PE recorder to record the PE address in the a parameter block; and
an instruction invoker to execute an isolated create instruction, the isolated
create instruction loading the PE handler into the isolated memory area. 

15. (original) The apparatus of claim 14 wherein the isolated create instruction 
performs an atomic sequence, the atomic sequence being non-interruptible. 

16. (currently amended) The apparatus of claim 15 wherein the atomic sequence 
includes operations comprising comprises:

a physical memory operation to verify if the processor is in a flat physical
page mode;

an atomic read and increment operation to read and increment reading a
thread count register in a chipset, the read and increment operation determining to
determine if the processor is the first processor in the isolated execution mode;

an isolated memory area control operation to configure the chipset using a
configuration storage;

a processor isolated execution operation to configure configuring the
processor in the isolated execution mode; and

an PE handler loading operation to load loading the PE handler into the
isolated memory area.

17. (currently amended) The apparatus of claim 16 claim 15 wherein the atomic
sequence of operations further comprises:

a PE handler verification to verify the verifying a loaded PE handler; and
an exit operation to transfer transferring control to the loaded PE handler.

18. (currently amended) The apparatus of claim 16 wherein the processor isolated
execution operation atomic sequence of operations further comprises:

a chipset read operation to read the reading a configuration storage in the
chipset when the processor is not a the first processor in the isolated execution
mode; and

a processor configuration operation to configure configuring the processor
according to the configuration storage in the chipset when the processor is not the 
first processor in the isolated execution mode. 

19. (currently amended) The apparatus of claim 18 wherein the chipset includes at 
least one hub selected from the group consisting of a memory controller hub (MCH) 
and an input/output controller hub (ICH). 

20. (original) The apparatus of claim 8 wherein the storage is in an input/output 
controller hub (ICH) external to the processor. 

21. (currently amended) A method comprising:

handling loading an operating system executive (OSE) by a processor
executive (PE) in a secure environment into an isolated memory area of a platform,
the secure environment platform having a fused key (FK) and a processor capable
of selectively operating in a normal execution mode and, alternatively, in an isolated
execution mode associated with an isolated memory area in a platform, the OSE to
manage a subset of an operating system (OS) running on the platform, the platform
having a processor operating in one of a normal execution mode and an isolated
execution mode, the isolated memory area being accessible to the processor in the
isolated execution mode, the loading of the OSE initiated by a processor executive
(PE) executing on the processor:

supplementing the PE using a PE supplement, the PE supplement having a
PE manifest representing the PE and a PE identifier to identify the PE; and

handling verifying the PE by a PE handler using the FK and the a PE
supplement having a PE manifest that represents the PE.

22. (currently amended) The method of claim 21 further comprises comprising:

loading the PE handler into the isolated memory area during a process of
booting up the platform by a boot up code following a power on.

23. (canceled) 

24. (currently amended) The method of claim 23 claim 21 wherein handling the PE
comprises handler performs operations comprising:

loading the PE and the PE supplement from a PE memory into the isolated
memory area using a parameter block provided by the boot up code;
verifying the PE manifest; and

verifying the PE using the PE manifest and a constant derived from the FK.

25. (currently amended) The method of claim 24 wherein handling the PE further
comprises handler performs operations comprising:

generating a PE key using the FK; 
logging the a PE identifier in a storage; and 
handling a PE entry and a PE exit. 

26. (currently amended) The method of claim 25 wherein generating the PE key 
comprises: 

combining the PE identifier and the FK, the combined PE identifier and the 
FK corresponding to the PE key. 

27. (currently amended) The method of claim 26 wherein handling the OSE
comprises claim 21, further comprising:

loading the OSE and the OSE supplement into the isolated memory area;
verifying the OSE manifest; and

verifying the OSE after loading the OSE into the isolated memory area.

28. (currently amended) The method of claim 27 claim 21 wherein handling the
OSE further comprises the operations performed by the PE comprise:

generating an OSE key; 

logging the an OSE identifier in a storage; and 

handling an OSE entry and an OSE exit. 

29. (currently amended) The method of claim 28 wherein generating the OSE key 
comprises: 

generating a binding key (BK) using the PE key; and 
combining the OSE identifier and the BK, the combined OSE identifier and 
the BK corresponding to the OSE key. 

30. (currently amended) The method of claim 20 claim 21 wherein managing the
OSE manages the subset of the OS by performing operations comprising
comprises:

loading a module into the isolated memory area;
managing paging in the isolated memory area; and
handling interface interfacing with the OS.

31. (currently amended) The method of claim 29 wherein the module is one
comprises one or more modules selected from the group consisting of an
application module, an applet module, and a support module.

32. (currently amended) The method of claim 31 wherein managing the subset of
the OS the OSE performs further operations comprising comprises:

generating an applet key associating associated with the applet module.

33. (currently amended) The method of claim 32 wherein generating the applet key
comprises:

combining the OSE combines the an OSE key with an applet identifier
identifying the applet module, the combined OSE key and the applet identifier
corresponding to the applet key.

34. (currently amended) The method of claim 33 wherein booting up comprises
claim 21, further comprising:

locating the PE and the PE supplement;

transferring the PE and the PE supplement into the PE memory at a PE
address during a process of booting the platform;

recording the PE address in the a parameter block; and

executing an isolated create instruction during the process of booting the
platform, the isolated create instruction loading the PE handler into the isolated
memory area.

35. (original) The method of claim 34 wherein executing the isolated create
instruction comprises performing an atomic sequence, the atomic sequence being 
non-interruptible. 

36. (currently amended) The method of claim 35 wherein performing the atomic 
sequence comprises: 

verifying if the processor is in a flat physical page mode;
reading and incrementing a thread count register in a chipset to determine if
the processor is the first processor in the isolated execution mode;
configuring the chipset using a configuration storage;
configuring the processor in the isolated execution mode; and
loading the PE handler into the isolated memory area.

37. (currently amended) The method of claim 36 claim 35 wherein performing the
atomic sequence further comprises:

verifying the a loaded PE handler; and
transferring control to the loaded PE handler. 

38. (currently amended) The method of claim 36 wherein configuring the processor 
in the isolated execution mode comprises: 

reading the a configuration storage in the chipset when the processor is not a 
the first processor in the isolated execution mode; and 

configuring the processor according to the configuration storage in the 
chipset when the processor is not the first processor in the isolated execution mode. 

39. (currently amended) The method of claim 38 wherein the chipset includes at 
least one hub selected from the group consisting of a memory controller hub (MCH) 
and an input/output controller hub (ICH). 

40. (original) The method of claim 28 wherein the storage is in an input/output 
controller hub (ICH) external to the processor. 

41-60. (canceled)

61. (currently amended) A system comprising:

a processor capable of selectively operating in one of a normal execution
mode and, alternatively, in an isolated execution mode;

a memory coupled to the processor having an isolated memory area
accessible to the processor in the isolated execution mode; and

an executive subsystem comprising:

a processor executive (PE) executable on the processor to handle load an
operating system executive (OSE) in a secure environment, the secure environment
having a fused key (FK) and associated with the isolated memory, the OSE to
manage a subset of an operating system (OS)[[,]];

a PE supplement residing in storage within the system, the PE supplement to
supplement the PE with comprising a PE manifest that represents representing the
PE and a PE identifier to identify the PE,; and

a PE handler to handle verify the PE using the FK and the PE supplement.

62. (currently amended) The system of claim 61 wherein the executive subsystem
further comprises comprising:

a boot-up code to load the PE handler into the isolated memory area during a
process of booting boot up the platform following a power on.

63. (currently amended) The system of claim 62 claim 61 wherein the secure
environment includes an OSE supplement to supplement the OSE with comprising
an OSE manifest that represents representing the OSE and an OSE identifier to
identify the OSE.

64. (currently amended) The system of claim 63 claim 61 wherein the PE handler
comprises:

a PE loader to load the PE and the PE supplement from a PE memory into
the isolated memory area using a parameter block provided by the boot up code;

a PE manifest verifier to verify the PE manifest; and

a PE verifier to verify the PE using the PE manifest and a constant derived
from the FK.

65. (currently amended) The system of claim 64 claim 61 wherein the PE handler
further comprises:

a PE key generator to generate a PE key using the FK; 

a PE identifier logger to log the a PE identifier in a storage; and 

a PE entrance/exit handler to handle a PE entry and a PE exit. 

66. (currently amended) The system of claim 65 wherein the PE key generator 
comprises: 

a PE key combiner to combine the PE identifier and the FK, the combined PE 
identifier and the FK corresponding to the PE key. 

67. (currently amended) The system of claim 66 claim 63 wherein the PE
comprises: 

an OSE loader to load the OSE and the OSE supplement into the isolated 
memory area; 

an OSE manifest verifier to verify the OSE manifest; and 
an OSE verifier to verify the OSE. 

68. (currently amended) The system of claim 67 claim 61 wherein the PE further
comprises:

an OSE key generator to generate an OSE key;

an OSE identifier logger to log the an OSE identifier in a storage; and

an OSE entrance/exit handler to handle an OSE entry and an OSE exit.

69. (currently amended) The system of claim 68 wherein the OSE key generator
comprises: 

a binding key generator to generate a binding key (BK) using the a PE key; 

and 

an OSE key combiner to combine the OSE identifier and the BK, the 
combined OSE identifier and the BK corresponding to the OSE key. 

70. (currently amended) The system of claim 69 claim 61 wherein the OSE
comprises:

a module loader to load a module into the isolated memory area;
a page manager to manage paging in the isolated memory area; and
an interface handler to handle interface interfacing with the OS.

71. (currently amended) The system of claim 69 claim 70 wherein the module is
one comprises one or more modules selected from the group consisting of an
application module, an applet module, and a support module.

72. (currently amended) The system of claim 71 wherein the OSE further
comprises:

an applet key generator to generate an applet key associating associated
with the applet module.

73. (currently amended) The system of claim 72 wherein the applet key generator 
comprises: 

an applet key combiner to combine the an OSE key with an applet identifier 
identifying the applet module, the combined OSE key and the applet identifier 
corresponding to the applet key. 

74. (currently amended) The system of claim 73 claim 64 wherein the [[boot up]]
boot-up code comprises: 

a PE locator to locate the PE and the PE supplement, the PE locator 
transferring the PE and the PE supplement into the PE memory at a PE address; 
a PE recorder to record the PE address in the a parameter block; and 
an instruction invoker to execute an isolated create instruction, the isolated 
create instruction loading the PE handler into the isolated memory area. 

75. (original) The system of claim 74 wherein the isolated create instruction 
performs an atomic sequence, the atomic sequence being non-interruptible. 

76. (currently amended) The system of claim 75 wherein the atomic sequence 
includes operations comprising comprises:

a physical memory operation to verify if the processor is in a flat physical
page mode;

an atomic read and increment operation to read and increment reading a
thread count register in a chipset, the read and increment operation determining to
determine if the processor is the first processor in the isolated execution mode;

an isolated memory area control operation to configure the chipset using a
configuration storage;

a processor isolated execution operation to configure configuring the
processor in the isolated execution mode; and

an PE handler loading operation to load loading the PE handler into the
isolated memory area.

77. (currently amended) The system of claim 76 claim 75 wherein the atomic
sequence of operations further comprises:

a PE handler verification to verify the verifying a loaded PE handler; and
an exit operation to transfer transferring control to the loaded PE handler.

78. (currently amended) The system of claim 76 wherein the processor isolated
execution operation atomic sequence of operations further comprises:

a chipset read operation to read the reading a configuration storage in the
chipset when the processor is not a the first processor in the isolated execution
mode; and

a processor configuration operation to configure configuring the processor
according to the configuration storage in the chipset when the processor is not the 
first processor in the isolated execution mode. 

79. (currently amended) The system of claim 78 wherein the chipset includes at 
least one hub selected from the group consisting of a memory controller hub (MCH) 
and an input/output controller hub (ICH). 

80. (original) The system of claim 68 wherein the storage is in an input/output 
controller hub (ICH) external to the processor. 

81. (new) An apparatus comprising: 

a machine accessible medium; and 

instructions encoded in the machine accessible medium, wherein the 
instructions, when executed in a platform, cause the platform to perform operations 
comprising: 

loading an operating system executive (OSE) into an isolated memory area of 
a platform, the platform having a fused key (FK) and a processor capable of 
selectively operating in a normal execution mode and, alternatively, in an isolated 
execution mode, the OSE to manage a subset of an operating system (OS) running 
on the platform, the isolated memory area being accessible to the processor in the 
isolated execution mode, the loading of the OSE initiated by a processor executive 
(PE) executing on the processor; and 

verifying the PE using the FK and a PE supplement having a PE manifest 
that represents the PE. 

82. (new) An apparatus according to claim 81, wherein the instructions implement
boot-up code that performs operations comprising:

loading the PE handler into the isolated memory area during a process of
booting up the platform.

83. (new) An apparatus according to claim 81, wherein the instructions implement 
a PE handler that performs operations comprising: 

loading the PE into the isolated memory area; and 
verifying the PE manifest using the PE manifest. 

84. (new) An apparatus according to claim 81, wherein the instructions implement 
a PE handler that performs operations comprising: 

generating a PE key using the FK; 
logging a PE identifier in a storage; and 
handling a PE entry and a PE exit. 

85. (new) An apparatus according to claim 84, wherein the PE handler generates 
the PE key based at least in part on a combination of the PE identifier and the FK. 

86. (new) An apparatus according to claim 81, wherein the instructions cause the 
platform to verify the OSE after loading the OSE into the isolated memory area. 

87. (new) An apparatus according to claim 81, wherein the instructions implement 
the PE, and the operations performed by the PE comprise: 

generating an OSE key; 

logging an OSE identifier in a storage; and 

handling an OSE entry and an OSE exit. 

88. (new) An apparatus according to claim 87, wherein the PE stores the OSE 
identifier in an input/output controller hub (ICH) external to the processor. 

89. (new) An apparatus according to claim 81, wherein the instructions cause the
platform to perform operations comprising: 

generating a binding key (BK) using the PE key; and 
generating the OSE key based at least in part on a combination of the OSE 
identifier and the BK. 

90. (new) An apparatus according to claim 81, wherein the instructions implement 
the OSE, and the OSE manages the subset of the OS by performing operations 
comprising: 

loading a module into the isolated memory area; 
managing paging in the isolated memory area; and 
interfacing with the OS. 

91. (new) An apparatus according to claim 90, wherein the module loaded by the 
OSE comprises one or more modules selected from the group consisting of an 
application module, an applet module, and a support module. 

92. (new) An apparatus according to claim 91 wherein the OSE performs further 
operations comprising: 

generating an applet key associated with the applet module. 

93. (new) An apparatus according to claim 92, wherein the OSE generates the 
applet key based at least in part on a combination of an OSE key with an applet 
identifier identifying the applet module. 

94. (new) An apparatus according to claim 81, wherein the instructions cause the
platform to perform operations comprising:

locating the PE and the PE supplement;

transferring the PE and the PE supplement into the PE memory at a PE
address during a process of booting the platform;

recording the PE address in a parameter block; and

executing an isolated create instruction during the process of booting the
platform, the isolated create instruction loading the PE handler into the isolated 
memory area. 

95. (new) An apparatus according to claim 94, wherein executing the isolated 
create instruction comprises performing an atomic sequence, the atomic sequence 
being non-interruptible. 

96. (new) An apparatus according to claim 95, wherein performing the atomic 
sequence comprises: 

reading a thread count register in a chipset to determine if the processor is 
the first processor in the isolated execution mode; 

configuring the processor in the isolated execution mode; and 
loading the PE handler into the isolated memory area. 

97. (new) An apparatus according to claim 95, wherein performing the atomic 
sequence comprises: 

verifying a loaded PE handler; and 
transferring control to the loaded PE handler.

98. (new) An apparatus according to claim 95, wherein configuring the processor in 
the isolated execution mode comprises: 

reading a configuration storage in the chipset when the processor is not the 
first processor in the isolated execution mode; and 

configuring the processor according to the configuration storage in the 
chipset when the processor is not the first processor in the isolated execution mode.

99. (new) An apparatus according to claim 95, wherein the chipset includes at least 
one hub selected from the group consisting of a memory controller hub (MCH) and 
an input/output controller hub (ICH).
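
The key hierarchy recited in claims 5-6, 8-9 and 12-13 (and their method, system and medium counterparts), sketched as an added example that is not part of the application or of any implementation it describes. The claims do not say how keys and identifiers are "combined" or what a manifest contains, so the HMAC-SHA-256 combiner, the derivation labels, the SHA-256 identifiers and the MAC-style manifest are all assumptions.

```python
import hashlib
import hmac


def combine(parent_key: bytes, label: bytes, identifier: bytes = b"") -> bytes:
    """Assumed combiner: HMAC-SHA-256 keyed by the parent key over a
    length-prefixed label followed by the identifier."""
    msg = len(label).to_bytes(2, "big") + label + identifier
    return hmac.new(parent_key, msg, hashlib.sha256).digest()


def identifier_of(image: bytes) -> bytes:
    """Assumed identifier: the SHA-256 digest of the loaded image."""
    return hashlib.sha256(image).digest()


def make_manifest(fk: bytes, image: bytes) -> bytes:
    """Assumed manifest: a MAC over the image identifier, keyed from the FK."""
    return combine(fk, b"manifest", identifier_of(image))


def verify_image(fk: bytes, image: bytes, manifest: bytes) -> bool:
    """PE handler check: does the image match the manifest in its supplement?"""
    return hmac.compare_digest(make_manifest(fk, image), manifest)


def derive_chain(fk: bytes, pe_image: bytes, pe_manifest: bytes,
                 ose_image: bytes, applet_image: bytes) -> dict:
    """FK -> PE key -> BK -> OSE key -> applet key, each step bound to the
    identifier of the code that will hold the key."""
    if not verify_image(fk, pe_image, pe_manifest):
        raise ValueError("PE does not match its manifest; no keys derived")

    pe_id = identifier_of(pe_image)
    pe_key = combine(fk, b"PE", pe_id)              # PE identifier + FK
    bk = combine(pe_key, b"BK")                     # binding key from PE key
    ose_id = identifier_of(ose_image)
    ose_key = combine(bk, b"OSE", ose_id)           # OSE identifier + BK
    applet_id = identifier_of(applet_image)
    applet_key = combine(ose_key, b"applet", applet_id)  # OSE key + applet id

    return {
        "log": [pe_id.hex(), ose_id.hex()],  # identifiers logged in storage
        "pe_key": pe_key,
        "bk": bk,
        "ose_key": ose_key,
        "applet_key": applet_key,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real platform.
    fk = bytes.fromhex("11" * 32)
    pe, ose, applet = b"PE image v1", b"OSE image v1", b"applet image v1"
    manifest = make_manifest(fk, pe)

    base = derive_chain(fk, pe, manifest, ose, applet)
    other_ose = derive_chain(fk, pe, manifest, b"OSE image v2", applet)
    for name in ("pe_key", "bk", "ose_key", "applet_key"):
        state = "unchanged" if base[name] == other_ose[name] else "changed"
        print(f"{name:10s} after swapping the OSE: {state}")

    try:
        derive_chain(fk, b"PE image (modified)", manifest, ose, applet)
    except ValueError as err:
        print("modified PE rejected:", err)
```

Swapping the OSE leaves the PE key and BK intact but changes the OSE and applet keys, so data bound to one OSE's keys is not recoverable under another; a PE that fails the manifest check yields no keys at all.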